Over the past decade, the mobile device has evolved from a voice-centric device into a mobile personal computer. No longer just a device for voice communications, the mobile device has become a multitasking tool, useful for activities such as emailing and web browsing. The current trends for mobile devices are toward the mimicking of desktop functionality. As a result, mobile devices are becoming enterprise endpoints with rich applications and core enterprise connectivity. Because an enterprise may need to specifically provision a mobile device for accessing restricted data, an employee may either have to sacrifice a personal device for dedicated enterprise use or carry two devices, one personal and one for enterprise use, to work.
From an end-user perspective, it is desirable to consolidate the personal mobile device with the enterprise device. Virtualization offers an opportunity to provide a convenient solution by preserving isolation of environments without requiring a second physical enterprise device. Supporting a personal environment and a work environment through virtualization on a personal mobile device represents an attractive alternative to existing solutions involving multiple physical mobile devices. The rapid pace of hardware advances in mobile devices over the past several years has led to a class of mobile devices with resources capable of supporting multiple environments (e.g., one or more virtual phones) through virtualization.
Virtualization on a mobile device, however, presents its own challenges. On a conventional computer, a virtualization layer running on the computer, also referred to as a hypervisor, typically has access to privileged resources, which are otherwise not available to an application running in user mode. On a mobile device, such privileges would not typically be available to a separate virtualization layer or hypervisor running on top of the mobile device's operating system in user mode. As such, when provisioning mobile devices with a traditional hypervisor, the developer often has to partner with carriers and original equipment manufacturers (OEMs), so that the hypervisor can be tightly coupled to the underlying operating system of the mobile device and gain access to privileged resources. Such requirements increase the developer's time to market and limits its market coverage to specific phone models and carrier networks.
VMware's Horizon Mobile platform provides enterprise management of an isolated virtual machine (VM) on employee owned smartphones by offering two mobile device personas—a work and a home phone—on a single mobile device via virtualization techniques. Providing a work environment in a VM running on a employee's personal phone facilitates a Bring Your Own Device (BYOD) approach to managing IT resources in an enterprise, in which an IT department can provide an employee the freedom to select their own device and provision it with an isolated VM containing work-related applications and secure access to employer's data and other resources. A hypervisor and on-device management components running on top of the mobile devices operating system enable the VM to be managed remotely by the enterprise, while the home environment remains under the control of the employee.
Enterprise security goals include protecting sensitive information on the mobile device, data exchanges between the device and the corporate intranet and access to data or services within the corporate intranet. A security threat may arise from untrusted applications in the host environment (e.g., Trojans, spyware, and other malware). Virtual Private Networks (VPN) allow end users to utilize restricted resources on a protected network. Typically, the user experience after proper authentication and establishment of a VPN connection is indistinguishable from being physically on-site and using the protected network directly. However, a typical VPN connection on a device provides the VPN tunnel to all the applications, which implies that every application running on system having an active VPN connection has access to the protected network. Therefore, discretionary control of which software components on a mobile device can access a VPN connection is desirable.